The OWASP Podcast Series

186 episodes - English - Latest episode: 10 months ago - ★★★★★ - 23 ratings

The OWASP Podcast Series is a recorded series of discussions with thought leaders and practitioners who are working on securing the future for coming generations.

Technology

Episodes

AppSec USA 2016 Pre-Conference Update

September 09, 2016 03:44 - 16 minutes - 15.4 MB

From October 11 - 14, 2016, appsec professionals from around the world will gather in Washington DC to participate in one of this year's main OWASP events, AppSec USA 2016. In this broadcast, I speak with three organizers of the event (Andrew Weidenhamer, Mike McCabe, Patrick Cooley) to get insight as to what to anticipate at the conference, the unique qualities of an AppSec USA event, and a sneak peek at the sessions that will be given over the 4-day event.

Security as Part of Continuous Delivery with Sacha Labourey

August 18, 2016 22:51 - 17 minutes - 16.5 MB

Continuing the theme of integrating security in DevOps processes, I spoke with Sacha Labourey, CEO of Cloudbees, during a stop at CD Summit in London. As one of the main players in the software supply chain for DevOps, I was interested in Sacha's perspective on how automated security fits into that supply chain. We start the discussion with "What is continuous delivery" followed by the place for security in the modern developer environment. About Sacha Labourey Sacha was born in Neuchâtel, ...

Unicorns on an Aircraft Carrier: DevOps Security at Scale with Sanjeev Sharma

July 21, 2016 19:49 - 22 minutes - 21 MB

Sanjeev Sharma is a Distinguished Engineer at IBM. His main concern is how DevOps initiatives scale in large enterprises. In this wide-ranging discussion recorded during CD Summit in Stockholm, I talk with Sanjeev about DevOps adoption, how security will play a critical role in any automated, scalable solution and the transition of traditional IT operations to the role of service provider.

2016 State of the Software Supply Chain Report with Derek Weeks

July 11, 2016 05:24 - 16 minutes - 15 MB

The "State of the Software Supply Chain Report" featured in today's show is an industry report produced by Sonatype. In the spirit of full disclosure, Mark Miller is the Senior Storyteller and DevOps Advocate for Sonatype. That said, no products are mentioned, nothing is being sold. Sonatype is the steward of the Central Repository and has access to an incredible set of data. The information in the report relates directly to A9 within the OWASP Top 10: Using components with known vulnerabilit...

Security as Part of DevOps and Development with Jason Schmitt

July 06, 2016 16:04 - 28 minutes - 26 MB

Jason Schmitt's passion is to assure security is built into the development process, not just as a bolt-on add-on. His experience in various aspects of software security has led him on a path through mobile, application and cloud security. In our conversation, Jason talks about the value OWASP provides to the community as well as what he perceives as a critical time for the integration between DevOps and security. About Jason Schmitt Jason Schmitt is vice president and general manager of ...

2016 AppSecEU - Update On The ASVS Project with Andrew van der Stock

July 05, 2016 17:26 - 14 minutes - 13.1 MB

The Application Security Verification Standard Project is a Flagship project at OWASP. It provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development. I sat down with Andrew van der Stock at AppSecEU 2016 to get the most recent updates on the project and to gain an insight into future plans.

2016 AppSecEU - The University Challenge

July 01, 2016 02:38 - 11 minutes - 10.7 MB

At 2016 AppSecEU in Rome, five teams showed up for the University Challenge. I talked with the organizers of the challenge about the history of the project and two team leaders to see how the challenge was going and what value they were getting by participating in the contest.

Jim Manico's 100th Episode, featuring Mark Miller, Executive Producer of OWASP 24/7

June 29, 2016 00:56 - 38 minutes - 35.4 MB

In this episode, Jim Manico turns the tables on me for his 100th podcast. He digs into my past, asks about my motivations for participating in OWASP, inquires on what I hope to accomplish through the series and how DevOps and security can be part of a single conversation when it comes to the software supply chain. Mark Miller is the Senior Storyteller and Developer Evangelist for Sonatype. He is the curator of TheNexus Community Project, while participating in DevOps and security confer...

AppSec Europe 2016 - What To Expect

May 25, 2016 01:06 - 11 minutes - 10.1 MB

What can you expect when you attend AppSec EU 2016 in Rome at the end of June? I talk with Bart de Win and Matteo Meucci, conference chair, to see who is coming, why you should and what to expect when AppSec EU goes to one of the world's greatest cities. Registration is open: https://2016.appsec.eu/

Communication Patterns in Open Source Component Supply Chains

April 15, 2016 18:47 - 12 minutes - 11.2 MB

To understand more about communication patterns in open source supply chains, Dr. Gail Murphy and Dr. Marc Palyart undertook a study of 1,227 public projects hosted on GitHub. I spoke with Dr. Murphy about the project and what it means for open source developers trying to generate visibility and community around their project. About Dr. Gail Murphy Dr. Murphy is a leading researcher on software evolution and tools. She brings to Tasktop extensive experience as a software developer and princ...

Active Deception as a Methodology for Cybersecurity w/ Lawrence Pingree from Gartner

March 21, 2016 19:14 - 18 minutes - 17 MB

Lawrence Pingree and I were having a discussion in the press room at RSA Conference 2016. We talked about his work with Gartner, analyzing deception as part of cybersecurity. His voice was so passionate, I just had to turn on the recorder. I haven't heard many people talking about this subject, but it's intriguing to think about... more than honeypots, true deception. Have a listen. About Lawrence Pingree Lawrence Pingree has been an active member of the Information Security industry for ma...

DevOps, Security and Engineering at Slack

March 02, 2016 22:56 - 9 minutes - 8.51 MB

Leigh Honeywell and Ari Rubenstein are Senior Staff Security Engineers at Slack. I saw Leigh on Wendy Nather's panel during RSA Conference 2016 and was interested in getting some insight into what's going on at Slack when it comes to DevOps. As luck would have it, Ari was in the audience, so we were able to step outside into the hallway and talk about how DevOps, security and engineering work together at Slack. About Leigh Honeywell Leigh reboots computers and makes hackerspaces. Leigh is a...

Security War Games with Sam Guckenheimer at Rugged DevOps RSAC 2016

February 29, 2016 03:18 - 22 minutes - 20.3 MB

You just have to accept it. The hackers are going to get in. The question is, what are you going to do once they are in? In preparation for Sam Guckenheimer's session at Rugged DevOps, RSA Conference 2016, I spoke with Sam about his work at Microsoft and how his team is working on Security War Games to keep things in check. About Sam Guckenheimer Sam Guckenheimer is Product Owner for the Microsoft Visual Studio Cloud Services, including VS Team Services and Team Foundation Server. He focuse...

Guns, Germs and Steel at RSAC 2016 with John Willis

February 26, 2016 17:07 - 14 minutes - 13 MB

After John Willis' keynote session next week at Rugged DevOps during RSA Conference 2016, he says he's going to grab a front row seat because he's so excited about the line up. In this interview, I talk with John about his relationship with Josh Corman and how they started working together. We talk about security as part of the software supply chain, the part Docker plays in the reference architecture picture for enterprise DevOps and how the developer world has changed in the past 5 years. ...

Equal Respect: Women in Technology with Chenxi Wang

February 25, 2016 21:17 - 13 minutes - 12.5 MB

Chenxi Wang has had a diverse career in the technology industry. Before her current position as Chief Strategy Officer at Twistlock, she was Vice President, Cloud Security & Strategy at CipherCloud, Vice President, Strategy and Market Intelligence at Intel Security, and Vice President at Forrester Research. Along the way, she has worked on technology education initiatives and is currently at work on Equal Respect, a movement to stop the objectification of women in technology. In this inter...

DevOps: Politics, People and Process with Paula Thrasher

February 24, 2016 22:44 - 14 minutes - 13.4 MB

I first met Paula Thrasher at DevOps Summit 2016 in San Francisco. Her message about people at the core of software supply chain processes resonated with me enough that I invited her to participate on a panel at RSA Conference 2016 in San Francisco on February 29. In the run up to the conference, I recorded this call with Paula about what it takes to facilitate a large scale DevOps project for the US Government. Her main concentration is in change management and how to deal with the intrica...

OWASP Top 10 Proactive Controls Project with Jim Manico and Katy Anton

February 09, 2016 17:31 - 21 minutes - 20.1 MB

The OWASP Top 10 Proactive Controls Project uses the OWASP Top 10 model as a way to encourage the community to participate in the building and maintenance of a Top 10 project aimed at developers. In this interview, I talk with Jim Manico and Katy Anton on the history of the project, how they anticipate it being utilized, and how they have worked with the community to decide the criteria for building the list of controls.

The OWASP WebGoat Project, version 7.0, with Bruce Mayhew

February 01, 2016 03:45 - 17 minutes - 15.6 MB

The WebGoat Project started 10 years ago and has had over 1,000,000 downloads. Version 7.0 is being released this week. I caught up with Bruce Mayhew, project lead, to talk about the history of the project, what has been updated in version 7, and what he foresees as the future of this project. https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project

Johanna Curiel on the Growing Pains of OWASP and Management of Project Reviews

January 27, 2016 02:43 - 26 minutes - 24.5 MB

Several months ago Johanna Curiel figured she'd had enough and was ready to take a break from OWASP. Recently, she came back and is working tirelessly to revamp the Project Review initiative. I talked with Johanna about why she left, what has changed to make it enticing enough for her to return and what her vision is for the Project Review team in the coming year.

2016 - What's in Store for the OWASP 24/7 Podcast Series

January 21, 2016 19:31 - 4 minutes - 3.88 MB

As we move into 2016 and my second year as executive producer of OWASP 24/7, I want to give a quick overview of my objectives for the year and what you can expect from the series.

OWASP Shark Tank - Could You Convince Someone to Invest in Your Project?

November 25, 2015 00:21 - 24 minutes - 22.2 MB

Funding of projects. Allocation of personal time. What does it take to get a project funded with limited resources? The OWASP NYC/NJ chapters are trying something new at the December 7th meeting: two projects will make pitches to a crowd of 300, with two angel investors in attendance. In this OWASP 24/7 broadcast, I talk with Tom Brennan, event organizer, and the two people who will be pitching their projects. Listen in to see if this is something you might want to do for your chapter or pr...

OWASP Application Security Verification Standard Project w/ Andrew van der Stock

October 01, 2015 15:49 - 8 minutes - 7.68 MB

The OWASP Application Security Verification Standard (ASVS) Project provides a basis for testing web application technical security controls. The primary aim of the OWASP ASVS Project is to normalize the range in the coverage and level of rigor available in the market when it comes to performing Web application security verification using a commercially-workable open standard. Project on OWASP https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project

OWASP Benchmark Project w/ Dave Wichers

September 30, 2015 15:51 - 14 minutes - 13.6 MB

There's been a lot of discussion around the OWASP Benchmark Project since its latest release. Jeff Williams wrote an article and then received a response from Chris Wysopal at Veracode. I was able to catch up with Dave Wichers, OWASP Project Lead, during AppSecUSA 2015 in San Francisco. I had Dave talk me through the project and what its intentions are. Resources: OWASP Benchmark Project https://www.owasp.org/index.php/Benchmark Why it's Insane to Trust Static Analysis http://www.darkreadi...

OWASP Security Shepherd Project w/ Mark Denihan and Paul McCann

September 29, 2015 15:15 - 13 minutes - 12.3 MB

The Security Shepherd Project is a mobile web application training platform for penetration testing. It covers the OWASP Top 10 risks from both the mobile and web projects. This recording was made at AppSecUSA 2015 during the Project Summit.

DevOps, Security and Development w/ Matt Tesauro, Shannon Lietz and Jez Humble

September 28, 2015 16:00 - 42 minutes - 39.2 MB

When I was at AppSecUSA 2015 in San Francisco, I was standing in the hallway talking with Matt Tesauro, Shannon Lietz and Jez Humble. We decided that our discussion was interesting enough to continue, so we grabbed a room and just started talking. Heads up: There are basic audio problems with the recording, such as some background hiss and some high frequency whining (not from us, from the lights overhead!). It was an interesting discussion about real world scenarios that the three have seen in ...

OWASP Board Candidate Interview - Abbas Naderi, Michael Coates, Jonathan Carter

September 03, 2015 10:57 - 48 minutes - 44.8 MB

Part of a three part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Abbas Naderi, Michael Coates and Jonathan Carter.

OWASP Board Candidate Interview - Bil Corry and Josh Sokol

September 03, 2015 10:48 - 39 minutes - 36.5 MB

Part of a three part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Bil Corry and Josh Sokol.

OWASP Board Candidate Interview - Milton Smith, Tobias Gondrom, Tom Brennan

September 03, 2015 10:36 - 43 minutes - 39.5 MB

Part of a three part series of interviews talking with OWASP board candidates for 2015. This segment includes candidates Milton Smith, Tobias Gondrom and Tom Brennan.

OWASP Security Knowledge Framework Project w/ Glenn Ten Cate

July 27, 2015 15:40 - 23 minutes - 21.8 MB

With over 20,000 downloads within its first two months of release, the Security Knowledge Framework Project seems to have hit a resonant chord with the OWASP community. Glenn Ten Cate and his brother Riccardo created the project as a tool that is used as a guide for building and verifying secure software. It can also be used to train developers about application security. The OWASP Security Knowledge Framework is an expert system web-application that uses the OWASP Application Security Ve...

OWASP Summer of Code Sprint 2015 with Fabio Cerullo

July 15, 2015 18:16 - 21 minutes - 19.3 MB

With the OWASP Summer of Code Sprint 2015 in full swing, OWASP 24/7 caught up with project lead Fabio Cerullo to see what the future of the project looks like and what to expect from the current sprint.

OWASP Project Funding Part 2 w/ Johanna Curiel and Claudia Casanovas

July 02, 2015 20:47 - 50 minutes - 46.6 MB

In part two of our open discussion on project funding for OWASP projects, I talk with Johanna Curiel, Project Review Team Leader, and Claudia Casanovas, the newly appointed Project Coordinator. In this broadcast, we explore the roadblocks to getting OWASP project funding, discuss how to create a better process for requesting funds, and talk about historical examples of how the current process has, and has not, worked.

OWASP Project Funding w/ Josh Sokol, Dinis Cruz and Andrew van der Stock

June 29, 2015 18:28 - 47 minutes - 43.8 MB

How do projects get funded at OWASP? Who should have access to those funds? What is the history of projects being funded at OWASP? In this wide ranging discussion we talk with Andrew van der Stock, Dinis Cruz and Josh Sokol about access to funds for project leads and the perceived difficulty of getting funding.

The OWASP Online Academy with John Patrick Lita and Jerry Hoff

June 25, 2015 15:51 - 18 minutes - 16.5 MB

John Patrick Lita has been working on the OWASP Online Academy since February. He plans to release it to the community within the next month. In this conversation, we talk with John about his plans for the project. Joining us is Jerry Hoff, one of the first content contributors to the Online Academy. https://www.owasp.org/index.php/OWASP_Online_Academy

AppSec USA 2015 Overview with Ben Hagen and Michael Coates

June 24, 2015 20:58 - 18 minutes - 17.2 MB

This year's AppSec USA Conference will be held in San Francisco, September 22 - 25. I spoke with Ben Hagen and Michael Coates, organizers of the event, to see how the planning is going and what will be special about this event. https://2015.appsecusa.org/

Paul Ritchie, Executive Director, Talks Present, Past and Future of OWASP

May 28, 2015 20:06 - 22 minutes - 20.1 MB

Paul Ritchie has been executive director of OWASP since July of 2014. In our talk, I get Paul's perspective on the best ways for chapters to utilize OWASP resources and what he sees in the near future for OWASP.

OWASP Offensive Web Testing Framework with Bharadwaj Machiraju and Abraham Aranguren

April 15, 2015 17:14 - 20 minutes - 18.3 MB

In this segment, we talk with the co-coordinators of the OWASP OWTF Project. The aim of the project is to make security assessments as efficient as possible by automating the manual, uncreative part of pen testing.

Tobias Gondrom on the OWASP Strategic Goals for 2015

April 03, 2015 17:39 - 23 minutes - 21.3 MB

In this segment of OWASP 24/7, I speak with Tobias Gondrom on the strategic goals for OWASP in 2015.

2015 AppSecEU Pre Conference Update

March 31, 2015 17:40 - 19 minutes - 18 MB

In this broadcast, we talk with the organizing committee from AppSecEU 2015 to see what they've been working on and what you can expect when you go to the conference in Amsterdam this May.

OWASP Project Reviews with Johanna Curiel

February 25, 2015 21:25 - 20 minutes - 19.1 MB

Johanna Curiel is the wizard behind the curtain that manages the evaluation of OWASP projects. In this wide-ranging discussion, I talk with Johanna about the criteria for project evaluation, how projects become "Flagship" status and what it takes to run a project of this size. About Johanna Curiel Johanna Curiel is a security engineer and developer of financial tools for Algorithmic Trading software. She works on multiple open source initiatives such as OWASP, Openbloomberg, Algorithmic Trad...

2015 OWASP Project Summit in NYC with Tom Brennan

February 24, 2015 16:11 - 10 minutes - 9.66 MB

I caught up with Tom Brennan, coordinator of the 2015 OWASP Project Summit in New York City to hear what he has in store for the 2 day event. http://www.meetup.com/OWASP-NYC/

Seba Deleersnyder Discusses SAMM (Software Assurance Maturity Model) Summit in Dublin, Ireland

February 19, 2015 22:35 - 17 minutes - 16.4 MB

The first SAMM (Software Assurance Maturity Model) Summit will be held in Dublin, Ireland on March 27 - 28, 2015. I spoke with Seba Deleersnyder, co-ordinator of the summit, to find out his goals for the SAMM project as well as his hopes for the summit. About Seba Deleersnyder As security project leader, application security specialist, trainer and trusted advisor for our customers, I have a track record of delivering information security projects. I specialise in Web & Mobile Application Securi...

2015 AppSec California Post Mortem with Richard Greenberg and Neil Matatall

February 17, 2015 18:39 - 25 minutes - 22.9 MB

What does it take to put on a successful conference? How much work is involved? In this segment, I sit down with Neil Matatall and Richard Greenberg, co-organizers of AppSec California 2015. We talk about how they came up with the idea and what resources were needed to pull off such a successful event. About Richard Greenberg Richard Greenberg, CISSP, a recognized leader in Information Security, is President of the Los Angeles Chapter of OWASP. His day job is Information Security Officer fo...

John Melton and the OWASP AppSensor Project

February 13, 2015 17:10 - 18 minutes - 17.4 MB

The OWASP AppSensor Project has just released version 2.0. In this broadcast we speak with John Melton, project code lead, on the latest features in the release and what the future looks like for the project. About John Melton John is one of the co-leaders for the OWASP AppSensor project and leads the software implementation. For his day job, he is a principal security researcher for WhiteHat Security, working in the SAST space. His background is in software and security engineering.

Moxie Marlinspike on Open Source Security for Mobile Devices

January 05, 2015 14:51 - 43 minutes - 39.9 MB

Moxie Marlinspike is the founder of Open Whisper Systems, which is both a large community of Open Source contributors and a small team of dedicated developers. Together, the members of Open Whisper Systems are working to advance the state of the art for secure communication, while simultaneously making it easy for everyone to use. Moxie works on secure protocols, Android clients, and server software. He has been contributing to Open Whisper Systems since it was Whisper Systems, forme...

Dibbe Edwards - DevOps and Open Source at IBM

December 11, 2014 21:36 - 30 minutes - 27.6 MB

At the IBM DevOps Symposium I watched as Dibbe Edwards enthralled the audience as she explained how IBM has instituted DevOps and Agile throughout the development cycle. In some cases the results are nearly unbelievable, such as reducing Overall Time to Development from 120 days down to 3 days. I wanted to hear more about how she could create such startling results, so I gave her a call. About Dibbe Edwards Dibbe Edwards is Vice President, IBM Rational DevOps Capabilities Development respo...

The WebGoat Project with Rick Lawson and Jason White

November 05, 2014 17:21 - 14 minutes - 13.5 MB

The WebGoat Project has developed a free online tool used to test and uncover application flaws that might otherwise go unnoticed. In this episode of OWASP 24/7, we talk with two of the WebGoat team members, Rick Lawson and Jason White, about how WebGoat is being used and future plans. More about WebGoat WebGoat for J2EE is written in Java and therefore installs on any platform with a Java virtual machine. There are installation programs for Linux, OS X Tiger and Windows. Once deployed, the...

Kevin E. Greene on OWASP and the SWAMP Project

October 17, 2014 16:29 - 26 minutes - 24.7 MB

During a meeting at AppSec USA 2014 in Denver, the SWAMP team presented its case for working with OWASP to support a marketplace for security tools. I sat down with Kevin E. Greene from DHS S&T, Cybersecurity Division to talk about what SWAMP is and how OWASP and its various projects might become involved. About Kevin E. Greene Software Assurance Program Manager responsible for oversight and management of research and development projects focused on improving the testing, analysis, and eval...

AppSec USA 2014, Denver - Damon Edwards, Matt Tesauro, Eoin Keary, Martin Knobloch

September 19, 2014 20:47 - 13 minutes - 11.9 MB

I was able to get a quick update from Damon, Matt, Eoin and Martin this week at AppSec USA 2014 Denver. They each have a different perspective on what is going on with OWASP in different parts of the world. Have a listen...

OWASP Board Candidate Interviews - Mateo Martinez

September 19, 2014 11:45 - 17 minutes - 15.7 MB

With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Mateo Martinez. (Please note: This interview was done over the net with a connection from New York City to Montevideo, Uruguay. In some places, there is considerable static.)

OWASP Board Candidate Interviews - Jim Manico, Timur Khrotko

September 16, 2014 12:48 - 36 minutes - 33.2 MB

With the OWASP board elections of 2014 upon us, we are doing a series of interviews so that you can come "face-to-face" with prospective board members. In this session, we talk with Jim Manico and Timur Khrotko.

Twitter Mentions

@bkimminich 1 Episode
@ndm 1 Episode
@owasp_juiceshop 1 Episode
@corazaio 1 Episode
@dallas_hackers 1 Episode
@stevespringett 1 Episode
@dhahole 1 Episode
@primed_mover 1 Episode